Add defconfig and board support for HiFive Unmatched.
Signed-off-by: Green Wan <green.wan@sifive.com>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Reviewed-by: Rick Chen <rick@andestech.com>
A lot of entries were using spaces instead of tab for alignment that's why
it is good to fix it to use the same style everywhere.
Signed-off-by: Michal Simek <michal.simek@xilinx.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
This has the uclass enforce calling detect() before other methods. This
allows drivers to cache information in detect() and perform (cheaper)
retrieval in the other accessors. This also modifies the only instance
where this sequencing was not followed.
Signed-off-by: Sean Anderson <sean.anderson@seco.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
This reverts commit 38d6b7ebda.
struct global_data contains a pointer to the bd_info structure. This
pointer was populated spl_set_bd() to a pre-allocated bd_info in the
".data" section. The referenced commit replaced this mechanism to one
that uses malloc(). That new mechanism is only used if SPL_ALLOC_BD=y.
which very few boards do.
The result is that (struct global_data)->bd is NULL in SPL on most
platforms. This breaks falcon mode, since arch_fixup_fdt() tries to
access (struct global_data)->bd and set the "/memory" node in the
devicetree. The result is that the "/memory" node contains garbage
values, causing linux to panic() as it sets up the page table.
Instead of trying to fix the mess, potentially causing other issues,
revert to the code that worked, while this change is reworked.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
The 'firmware' property of a config node takes precedence over the
'kernel' property. 'standalone' is deprecated. However, give users a
couple of releases where 'standalone' still works, but warns loudly.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
U-Boot expects the FDT to be located right after the _end
linker symbol (see fdtdec.c: board_fdt_blob_setup())
The "basic" LOAD_FIT path is aware of this limitation, and relocates
the FDT at the expected location. Guessing the expected location
probably only works reliably on 32-bit arm, and it feels like a hack.
One proposal would be to pass the FDT address to u-boot
(e.g. using 'r2' on arm platforms).
The variable is named "fdt_hack" to remind future contributors that,
"hey! we should fix the underlying problem". However, that is beyond
the scope of this patch.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
The information on the OS should be contained in the FIT, as the
self-explanatory "os" property of a node under /images. Hard-coding
this to U_BOOT might send us down the wrong path later in the boot
process.
Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
The correct FDT to use is described by the "fdt" property of the
configuration node. When the fit_unamep argument to fit_image_load()
is "fdt", we get the "/images/fdt" node. This is incorrect, as it
ignores the "fdt" property of the config node, and in most cases,
the "/images/fdt" node doesn't exist.
Use NULL for the 'fit_unamep' argument. With NULL, fit_image_load()
uses the IH_TYPE_FLATDT value to read the config property "fdt",
which points to the correct FDT node(s).
fit_image_load() should probably be split into a function that reads
an image by name, and one that reads an image by config reference. I
don't make those decisions, I just point out the craziness.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Commit 4afc4f37c7 ("doc: FIT image: Clarify format and simplify
syntax") and delegated FPGA images to be added via the list of
"loadables" in lieu of the "fpga" property. Now actually implement
this in code.
Note that the "compatible" property is ignored for the time being, as
implementing "compatible" loading is beyond the scope of this change.
However, "u-boot,fpga-legacy" is accepted without warning.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Commit 4afc4f37c7 ("doc: FIT image: Clarify format and simplify
syntax") requires that FPGA images be referenced through the
"loadables" in the config node. This means that "fpga" properties in
config nodes are deprecated.
Given that there are likely FIT images which use "fpga", let's not
break those right away. Print a warning message that such use is
deprecated, and give users a couple of releases to update their
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
The FPGA loading code in spl_simple_fit_read() can easily be separated
from the rest of the logic. It is split into two functions instead of
one because spl_fit_upload_fpga() is used in a subsequent patch.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
spl_load_fit_image() will try to load an image at the address given
in the "load" property. Absent such property, it uses
image_info->load_addr
Correct use of this is demonstrated in spl_fit_append_fdt(), which
resets the 'load_addr' before each spl_load_fit_image() call.
On the other hand loading "loadables" loop in spl_load_simple_fit()
completely ignores this. It re-uses the same structure, but doesn't
reset load_addr. If loadable [i] does not have a "load" property, its
load address defaults to load_addr, which still contains the address
of loadable [i - 1].
A simple solution is to treat NULL as an invalid load address. The
caller can set load_addr = 0 to request an abort if the "load"
property is absent.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Add a weak nand_get_mtd function for nand drivers to provide mtd info
and use this to set pagesize such that reading of non page-aligned
elements can succeed.
The spl_load_simple_fit already handles block block access so all we
need to do is provide the nand writesize as the block length.
Further cleanup of the drivers which use nand_spl_loaders.c such as
am335x_spl_bch.c, atmel_nand.c, and nand_spl_simple.c could be done
using info from mtd_info instead of statically defined details.
Signed-off-by: Tim Harvey <tharvey@gateworks.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
commit 9f6a14c47f ("spl: fit: nand: fix fit loading in case of bad blocks")
added support for adjusting the image offset to account for bad blocks.
However this requires nand_spl_adjust_offset() which requires fully defined
specifics of the NAND chip being used may not be avialable.
Allow skipping this support for drivers or configs which don't specify
the NAND chip details statically with defines.
Signed-off-by: Tim Harvey <tharvey@gateworks.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
In preparation to add SiFive Unmatched board support, let's rename
the existing fu540 board to unleashed.
Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
Reviewed-by: Leo Yu-Chi Liang <ycliang@andestech.com>
The _SUPPORT suffix is from an earlier time and interferes with use of
the CONFIG_IS_ENABLED() macro. Rename the option to drop the suffix.
Tidy up the TODO that prompted this.
Signed-off-by: Simon Glass <sjg@chromium.org>
We have two separate places that need to figure out the bootstage ID to
use. Put this code in a function so that the logic is in one place.
Signed-off-by: Simon Glass <sjg@chromium.org>
Some systems (e.g. x86 APL) run SPL from read-only memory. The device
instances created by dtoc are therefore not writeable. To make things work
we would need to copy the devices to read/write memory.
To avoid this, add an option to use a separate runtime struct for devices,
just as is done for drivers. This can be used to hold information that
changes at runtime, avoiding the need for a copy.
Also add a Kconfig option for read-only SPL, which selects this feature.
Signed-off-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Simon Glass <sjg@chromium.org>
At present this casts addresses to pointers so cannot work with sandbox.
Update the code to use map_sysmem() instead.
As part of this change, the existing load_ptr is renamed to src_ptr since
it is not a pointer to load_addr. It is confusing to use a similar name
for something that is not actually related. For the alignment code,
ALIGN() is used instead of open-coded alignment. Add a comment to the line
that casts away a const.
Use a (new) load_ptr variable to access memory at address load_addr.
Signed-off-by: Simon Glass <sjg@chromium.org>
This is printed twice but we only need one message, since there is very
little processing in between them. Drop the second one, since all branches
of the switch() already have output. Update the U-Boot message to include
the phase being jumped to.
Signed-off-by: Simon Glass <sjg@chromium.org>
When a FIT config specifies a devicetree, we should load it, no
questions asked. In the case of the "simple" FIT loading path, a
difficulty arises in selecting the load address of the FDT.
The default FDT location is right after the "kernel" or "firmware"
image. However, if that is an OP-TEE image, then the FDT may end up in
secure DRAM, and not be accessible to normal world kernels.
Although the best solution is to be more careful about the FDT
address, a viable workaround is to only append the FDT after a u-boot
or Linux image. This is identical to the previous logic, except that
FDT loading is extended to IH_OS_LINUX images.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Use the IS_ENABLED() macro to control code flow, instead of the
caveman approach of sprinkling #ifdefs. Code size is not affected, as
the linker garbage-collects unused functions. However, readability is
improved significantly.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
The configuration node a sub node under "/configurations", which
describes the components to load from "/images". We only need to
locate this node once.
However, for each component, spl_fit_get_image_name() would parse the
FIT image, looking for the correct node. Such work duplication is not
necessary. Instead, once the node is found, cache it, and re-use it.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
When a desired configuration is not found, conf_node will have a
negative value. Thus the for loop will start at the root "/" node of
the image, print the "/description" property, and stop.
It appears the intent of the loop was to print the names of the
subnodes under "/configurations". We would need the offset to the
"/configurations" node, which is abstracted by fit_find_config_node().
This change agrees that abstracting the node offset is the correct
design, and we shouldn't be parsing the configurations manually. Thus
the loop in spl_fit_get_image_name() is useless. Remove it.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Several loose arguments describe the FIT image. They are thus related,
and it makes sense to pass them together, in a structure. Examples
include the FIT blob pointer, offset to FDT nodes, and the offset to
external data.
Use a spl_fit_info structure to group these parameters.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
The logical steps in spl_load_simple_fit() are difficult to follow.
I think the long comments, ifdefs, and ungodly number of variables
seriously affect the readability. In particular, it violates section 6
of the coding style, paragraphs (3), and (4).
The purpose of this patch is to improve the situation by
- Factoring out initialization and parsing to separate functions
- Reduce the number of variables by using a context structure
This change introduces no functional changes.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
The size is derived from the FIT image itself. Any alignment
requirements are machine-specific and known by the board code. Thus
the total length can be derived from the FIT image and knowledge of
the platform. The 'length' argument is redundant. Remove it.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
CC: Matt Porter <mporter@konsulko.com>
Move this out of the common header and include it only where needed. In
a number of cases this requires adding "struct udevice;" to avoid adding
another large header or in other cases replacing / adding missing header
files that had been pulled in, very indirectly. Finally, we have a few
cases where we did not need to include <asm/global_data.h> at all, so
remove that include.
Signed-off-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Tom Rini <trini@konsulko.com>
It is useful to know the TEXT_BASE value for the image being loaded in
TPL/SPL. Add a new spl_get_image_text_base() function to handle this.
Make use of this in the x86 SPL handler, instead of having the logic
there.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
It is useful to be able to figure out which phase we are loading next and
which phase we came from. Add some functions to handle this as well as
returning the name of a phase. This allows messages like "Booting to x"
where x is the next phase.
At present, TPL says 'Jumping to U-Boot' at the end, when in fact it is
jumping to SPL. This is confusing, so use the new functions to correct
this.
Tests for this will come with an upcoming minor SPL test refactor.
Signed-off-by: Simon Glass <sjg@chromium.org>
This commit add an option TPL_BOOTCOUNT_LIMIT to
use bootcount on TPL.
Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
H616 supports and needs bigger SPL than 32 KiB, mostly due to big DRAM
driver and need for PMIC configuration, which pulls several drivers which
are not needed otherwise.
spl_mmc_get_uboot_raw_sector() will now compare pre-configured size with
that, reported in SPL header. If size in header is bigger, it will use
that value instead.
In the process of function rework, also add missing function argument.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Signed-off-by: Jernej Skrabec <jernej.skrabec@siol.net>
Reviewed-by: Samuel Holland <samuel@sholland.org>
It turns out that there are at least 2 other SoCs which have basically
the same memory map, similar clocks and other features as H6. It's very
likely that we'll see more such SoCs in the future. In order to ease
porting to new SoCs and lower ifdef clutter, introduce common symbol for
them.
Signed-off-by: Jernej Skrabec <jernej.skrabec@siol.net>
Reviewed-by: Samuel Holland <samuel@sholland.org>
Reviewed-by: Andre Przywara <andre.przywara@arm.com>
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
When the hash check fails on a loadable image, the SPL/TPL simply
jump to the next one. This commit changes this behaviour, when the
hash check fails on a loadable image, the function spl_load_simple_fit
stops and report an error.
Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
CONFIG_HANDOFF is used in u-boot proper to locate handoff info from SPL
during pre-relocation init (in setup_spl_handoff). Add explicit dependency
on CONFIG_SPL, to fix the following build error when CONFIG_HANDOFF &&
!CONFIG_SPL:
common/board_f.c: In function ‘setup_spl_handoff’:
common/board_f.c:283:4: error: ‘gd_t {aka struct global_data}’
has no member named ‘spl_handoff’
gd->spl_handoff = bloblist_find(BLOBLISTT_SPL_HANDOFF,
^~
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
This uses up space in the SPL binary but it always starts as zero. Also
some boards cannot support data in TPL (e.g. Intel Apollo Lake).
Use malloc() to allocate this structure instead, by moving the init a
little later, after malloc() is inited. Make this function optional since
it pulls in malloc().
This reduces the TPL binary size on coral by about 64 bytes
Signed-off-by: Simon Glass <sjg@chromium.org>
Fit images were loaded to a buffer provided by spl_get_load_buffer().
This may work when the FIT image is small and fits between the start
of DRAM and SYS_TEXT_BASE.
One problem with this approach is that the location of the buffer may
be manipulated by changing the 'size' field of the FIT. A maliciously
crafted FIT image could place the buffer over executable code and be
able to take control of SPL. This is unacceptable for secure boot of
signed FIT images.
Another problem is with larger FIT images, usually containing one or
more linux kernels. In such cases the buffer be be large enough so as
to start before DRAM (Figure I). Trying to load an image in this case
has undefined behavior.
For example, on stm32mp1, the MMC controller hits a RX overrun error,
and aborts loading.
_________________
| FIT Image |
| |
/===================\ /=====================\
|| DRAM || | DRAM |
|| || | |
||_________________|| SYS_TEXT_BASE | ___________________ |
| | || FIT Image ||
| | || ||
| _________________ | SYS_SPL_MALLOC_START || _________________ ||
|| malloc() data || ||| malloc() data |||
||_________________|| |||_________________|||
| | ||___________________||
| | | |
Figure I Figure II
One possibility that was analyzed was to remove the negative offset,
such that the buffer starts at SYS_TEXT_BASE. This is not a proper
solution because on a number of platforms, the malloc buffer() is
placed at a fixed address, usually after SYS_TEXT_BASE. A large
enough FIT image could cause the malloc()'d data to be overwritten
(Figure II) when loading.
/======================\
| DRAM |
| |
| | CONFIG_SYS_TEXT_BASE
| |
| |
| ____________________ | CONFIG_SYS_SPL_MALLOC_START
|| malloc() data ||
|| ||
|| __________________ ||
||| FIT Image |||
||| |||
||| |||
Figure III
The solution proposed here is to replace the ad-hoc heuristics of
spl_get_load_buffer() with malloc(). This provides two advantages:
* Bounds checking of the buffer region
* Guarantees the buffer does not conflict with other memory
The first problem is solved by constraining the buffer such that it
will not overlap currently executing code. This eliminates the chance
of a malicious FIT being able to replace the executing SPL code prior
to signature checking.
The second problem is solved in conjunction with increasing
CONFIG_SYS_SPL_MALLOC_SIZE. Since the SPL malloc() region is
carefully crafted on a per-platform basis, the chances of memory
conflicts are virtually eliminated.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
bl2_to_bl31_params_mem is just an implementation detail of the SPL ATF
support and is not needed anywhere else. Move it from the header to the
actual module.
Signed-off-by: Michael Walle <michael@walle.cc>
Acked-by: Michal Simek <michal.simek@xilinx.com>
Move the actual implementation of the bl2_plat_get_bl31_params() to its
own function. The weak function will just call the default
implementation. This has the advantage that board code can still call
the original implementation if it just want to modify minor things.
Signed-off-by: Michael Walle <michael@walle.cc>
There is no need to have the storage available globally. This is also a
preparation for LOAD_IMAGE_V2 support. That will introduce a similar
generator function which also has its own storage.
Signed-off-by: Michael Walle <michael@walle.cc>
Acked-by: Michal Simek <michal.simek@xilinx.com>
This commit add the support of signature check for config node
in spl/tpl when the function spl_load_simple_fit is used.
Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
This uclass is intended to provide a way to obtain information about a
U-Boot board. But the concept of a U-Boot 'board' is the whole system,
not just one circuit board, meaning that 'board' is something of a
misnomer for this uclass.
In addition, the name 'board' is a bit overused in U-Boot and we want to
use the same uclass to provide SMBIOS information.
The obvious name is 'system' but that is so vague as to be meaningless.
Use 'sysinfo' instead, since this uclass is aimed at providing information
on the system.
Rename everything accordingly.
Note: Due to the patch delta caused by the symbol renames, this patch
shows some renamed files as being deleted in one place and created in
another.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
SPL is creating fit-images DT node when loadables are recorded in selected
configuration. Entries which are created are using entry-point and
load-addr property names. But there shouldn't be a need to use non standard
properties because entry/load are standard FIT properties. But using
standard FIT properties enables option to use generic FIT functions to
descrease SPL size. Here is result for ZynqMP virt configuration:
xilinx_zynqmp_virt: spl/u-boot-spl:all -82 spl/u-boot-spl:rodata -22 spl/u-boot-spl:text -60
The patch causes change in run time fit image record.
Before:
fit-images {
uboot {
os = "u-boot";
type = "firmware";
size = <0xfd520>;
entry-point = <0x8000000>;
load-addr = <0x8000000>;
};
};
After:
fit-images {
uboot {
os = "u-boot";
type = "firmware";
size = <0xfd520>;
entry = <0x8000000>;
load = <0x8000000>;
};
};
Replacing calling fdt_getprop_u32() by fit_image_get_entry/load() also
enables support for reading entry/load properties recorded in 64bit format.
Signed-off-by: Michal Simek <michal.simek@xilinx.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
The sandbox is built with the SDL2 library with invokes the X11 library
which in turn calls getc(). But getc() in glibc is defined as
int getc(FILE *)
This does not match our definition.
int getc(void)
The sandbox crashes when called with parameter -l.
Rename our library symbol getc() to getchar().
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
CONFIG_{SPL,TPL}_SIZE_LIMIT are defined as hex (SPL_SIZE_LIMIT was
converted in b51882d0 ("spl: Convert CONFIG_SPL_SIZE_LIMIT to hex"), but
there are still places that reference integer values. Change those to hex
as well. Also, update the Makefile to check for 0x0 instead of 0.
This also fixes the following build error when CONFIG_SPL_SIZE_LIMIT
is set by menuconfig to 0x0:
...
spl/u-boot-spl.bin exceeds file size limit:
limit: 0 bytes
actual: 0x80f0 bytes
excess: 0x80f0 bytes
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Some boards, specifically 64-bit Allwinner boards (sun50i), are
extremely limited on SPL size. One strategy that was used to make space
was to remove the FIT "os" property parsing code, because it uses a
rather large lookup table.
However, this forces the legacy FIT parsing code path, which requires
the "firmware" entry in the FIT to reference the U-Boot binary, even if
U-Boot is not the next binary in the boot sequence (for example, on
sun50i boards, ATF is run first).
This prevents the same FIT image from being used with a SPL with
CONFIG_SPL_FIT_IMAGE_TINY=n and CONFIG_SPL_ATF=y, because the boot
method selection code looks at `spl_image.os`, which is only set from
the "firmware" entry's "os" property.
To be able to use CONFIG_SPL_ATF=y, the "firmware" entry in the FIT
must be ATF, and U-Boot must be a loadable. For this to work, we need to
parse the "os" property just enough to tell U-Boot from other images, so
we can find it in the loadables list to append the FDT, and so we don't
try to append the FDT to ATF (which could clobber adjacent firmware).
So add the minimal code necessary to distinguish U-Boot/non-U-Boot
loadables with CONFIG_SPL_FIT_IMAGE_TINY=y. This adds about 300 bytes,
much less than the 7400 bytes added by CONFIG_SPL_FIT_IMAGE_TINY=n.
Acked-by: Patrick Wildt <patrick@blueri.se>
Signed-off-by: Samuel Holland <samuel@sholland.org>
Reviewed-by: Jagan Teki <jagan@amarulasolutions.com>
This reverts commit eb39d8ba5f.
The commit breaks booting of fitImage by SPL, the system simply hangs.
This is because on arm32, the fitImage and all of its content can be
aligned to 4 bytes and U-Boot expects just that.
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Reuben Dowle <reuben.dowle@4rf.com>
Cc: Tom Rini <trini@konsulko.com>
Signed-off-by: Marek Vasut <marex@denx.de>